On Oct 31, 2023, at 3:12 AM, Jan-Frederik Rieckers <rieck...@dfn.de> wrote:
> But actually I don't know if **provisioning** the credentials in-band is such 
> a good idea.
> Because, in order to provision the credentials, the user needs to prove that 
> they are authorized, and how would they do that?

  That was one of the issues raised about TEAP.  The answer there is "use 
passwords to provision certificates".

  That's pretty much how passkey works on the web.  So it's not a terrible 
answer.

> Send a password together with their provisioning request?
> This is not secure, since the user can again type in a wrong domain and this 
> way unintentionally give the password away to a malicious third party.

  If the realm is verified against the server cert, and the server cert is 
verified against a known CA, it's less of an issue.

> And regarding the "oh, but now the RADIUS admins need to talk to the web 
> admins" argument:
> The RADIUS admins already need to talk to the IdM admins to gain access to 
> the user database (esp. if password-based authentication methods are used).
> So if the RADIUS and web admins don't want to talk to each other: fine, they 
> don't need to. The web admins just need to provision the FIDO token and write 
> them back to the IdM database and the RADIUS admins can access the FIDO 
> public keys from the database.

  I agree.

> With the current movement the FIDO alliance is pushing this is actually a 
> great step, because the FIDO Passkey that is already provisioned for logging 
> into the account in the web can now simply be used for network access as well.

  That is my hope.

  Alan DeKok.
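Alan's point about the realm being verified against the server cert, and the cert against a known CA, as an added example (not code from this thread or from any EAP implementation): a Go program that builds a constructed trusted CA, a constructed rogue CA and a server certificate, then runs the supplicant-side check for three provisioning attempts: correct realm and trusted CA, mistyped realm, and a server whose cert chains to a CA the supplicant does not know. It assumes, as a simplification, that the realm is carried as a DNS SAN in the server certificate; every name and CA here is constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with parentKey; when parent is nil the cert is self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA builds a constructed root CA; in a deployment this is the CA the
// supplicant profile pins, not whatever the OS trust store contains.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// newServerCert issues a RADIUS/EAP server cert carrying the realm as a DNS SAN
// (an assumption of this example, not a statement about how deployments encode it).
func newServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, realm string) (*x509.Certificate, error) {
	cert, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: realm},
		DNSNames:     []string{realm},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return cert, err
}

// verifyRealm is the supplicant-side check: the server cert must chain to the
// pinned CA and must name the realm the user typed. Only if both hold should a
// password (or any provisioning secret) be sent over the tunnel.
func verifyRealm(serverCert, trustedCA *x509.Certificate, realm string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := serverCert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   realm,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// RunScenarios reports, per constructed scenario, whether the supplicant would
// proceed with provisioning.
func RunScenarios() (map[string]bool, error) {
	const realm = "eduroam.example.org" // constructed realm
	trustedCA, trustedKey, err := newCA("Campus Root CA (constructed)")
	if err != nil {
		return nil, err
	}
	rogueCA, rogueKey, err := newCA("Rogue Root CA (constructed)")
	if err != nil {
		return nil, err
	}
	legit, err := newServerCert(trustedCA, trustedKey, realm)
	if err != nil {
		return nil, err
	}
	rogue, err := newServerCert(rogueCA, rogueKey, realm)
	if err != nil {
		return nil, err
	}
	return map[string]bool{
		"correct realm, trusted CA": verifyRealm(legit, trustedCA, realm) == nil,
		"mistyped realm, trusted CA": verifyRealm(legit, trustedCA, "eduroam.exarnple.org") == nil,
		"correct realm, unknown CA": verifyRealm(rogue, trustedCA, realm) == nil,
	}, nil
}

func main() {
	res, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for name, ok := range res {
		fmt.Printf("%-28s send credentials: %v\n", name, ok)
	}
}
```

Only the first scenario is accepted; a mistyped realm fails the name check even against a legitimate cert, and a server presenting a cert from a CA outside the pinned set fails before any credential leaves the client, which is the property the reply above relies on.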

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
